Tuesday, September 04, 2007

Rolling Reviews: N-Stalker

Jordan Wiens of Network Computing released his review of N-Stalker and OUCH! Normally reviews contrast a product's strong points against the weaker ones, but this one was basically all bad. Good for Jordan for telling it like it is. He did highlight an interesting feature, though: scanning integrated with log analysis. If the product has found a vuln, the theory is that you could check the logs to see whether someone had been trying to exploit it. Nice.
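The scan-plus-log-analysis idea described above, as an added example that is not code from N-Stalker, the review, or this post: given a list of paths a scanner has flagged (here hypothetical placeholder findings) and a web server access log (constructed sample lines, not real traffic), correlate the two and report which clients requested the flagged paths, how often, and with which query strings. That is the defender's view of the feature: a finding is more urgent when the log shows it is already being poked at.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined"-style line: client, ident, user, [time], "METHOD target PROTO", status, size, ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# Constructed sample log lines (not real traffic). One deliberately malformed line is included.
ACCESS_LOG = """\
203.0.113.5 - - [04/Sep/2007:10:01:12 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Sep/2007:10:01:15 -0700] "GET /cgi-bin/oldapp.cgi?file=README HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Sep/2007:10:02:40 -0700] "GET /cgi-bin/oldapp.cgi?file=CHANGES HTTP/1.1" 200 1840 "-" "curl/7.16"
198.51.100.7 - - [04/Sep/2007:10:02:41 -0700] "GET /cgi-bin/oldapp.cgi?file=config HTTP/1.1" 200 1840 "-" "curl/7.16"
198.51.100.7 - - [04/Sep/2007:10:02:43 -0700] "POST /admin/oldapp/setup.php HTTP/1.1" 302 0 "-" "curl/7.16"
192.0.2.9 - - [04/Sep/2007:10:03:02 -0700] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
broken line that does not parse
"""

# Hypothetical scanner findings: (path, label). Paths and labels are placeholders, not real findings.
FINDINGS = [
    ("/cgi-bin/oldapp.cgi", "known vulnerable CGI (placeholder finding)"),
    ("/admin/oldapp/setup.php", "exposed setup script (placeholder finding)"),
]


def parse_log(text):
    """Return parsed entries; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        parts = urlsplit(d["target"])
        d["path"] = parts.path          # compare on path only, not query string
        d["query"] = parts.query
        d["status"] = int(d["status"])
        entries.append(d)
    return entries


def correlate(findings, entries):
    """For each flagged path, hits keyed by client IP with a count and the distinct query strings seen."""
    by_path = {path: defaultdict(lambda: {"count": 0, "queries": set()}) for path, _ in findings}
    for e in entries:
        if e["path"] in by_path:
            rec = by_path[e["path"]][e["ip"]]
            rec["count"] += 1
            if e["query"]:
                rec["queries"].add(e["query"])
    # Plain dicts with sorted lists so the result is easy to serialise or assert on.
    return {p: {ip: {"count": r["count"], "queries": sorted(r["queries"])} for ip, r in v.items()}
            for p, v in by_path.items()}


def report(findings, text):
    result = correlate(findings, parse_log(text))
    for path, label in findings:
        print(f"{path} ({label})")
        for ip, rec in sorted(result[path].items(), key=lambda kv: -kv[1]["count"]):
            print(f"  {ip}: {rec['count']} request(s), queries={rec['queries']}")
    return result


if __name__ == "__main__":
    report(FINDINGS, ACCESS_LOG)
```

In practice the findings list would come straight from the scanner's report and the log from the web tier; matching on path alone keeps the correlation independent of whatever parameters the scanner itself used, and the per-client query-string list is what an analyst looks at next.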

Next up is the last major scanner, Watchfire's AppScan. I'll be watching closely how well they handle Ajax, since no one has fared well at all. It might be time to call BS on the "we support Ajax" claims. Personally, I don't think the use of Ajax causes a website to be any more or less secure, but I do think it makes it harder to find vulnerabilities. The reviews are proving that much.

Of course, WhiteHat Security will have to take its turn under Jordan's firing squad in due time.

The one redeeming value of N-Stalker is its very broad database of known issues. It is really quite bad about dealing with false positives, and if you have a site that responds with friendly file not found errors (including HTTP 200 OK responses), it's next to worthless. But for standard sites that happen to be running some obscure application that has a vulnerability, N-Stalker (and its estranged sister Syhunt SandCat) are better than any other commercial app I've used at finding them.
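The "friendly file not found" problem mentioned above is the classic soft-404 trap: a scanner that decides a known-vulnerable file is present because the server answered 200 OK will report every entry in its database as found. The usual fix is to learn what the site's not-found page looks like before trusting any status code. The following is an added example, not N-Stalker's or SandCat's logic and not code from this post; `fake_site` is a constructed stand-in for a web server that answers every unknown path with a 200 "Oops" page, and `KNOWN_PAGES` is placeholder content.

```python
import difflib
import secrets
import string

# Constructed stand-in for a web server: returns (status, body). Placeholder content, not a real site.
KNOWN_PAGES = {
    "/index.html": (200, "<html><title>Home</title><body>Welcome to Example Corp</body></html>"),
    "/cgi-bin/oldapp.cgi": (200, "<html><title>OldApp 1.2</title><body>OldApp file viewer</body></html>"),
}


def fake_site(path):
    """A site that answers every unknown path with a friendly '200 OK' not-found page."""
    if path in KNOWN_PAGES:
        return KNOWN_PAGES[path]
    return (200, "<html><title>Oops</title><body>Sorry, we couldn't find "
                 f"{path}. Try our <a href='/'>home page</a>.</body></html>")


def random_path(length=16):
    alphabet = string.ascii_lowercase + string.digits
    return "/" + "".join(secrets.choice(alphabet) for _ in range(length))


def normalize(body, path):
    # Soft-404 pages usually echo the requested path; drop it so two
    # not-found pages for different paths compare as (nearly) equal.
    return body.replace(path, "")


def learn_not_found(fetch, probes=3):
    """Request a few random, certainly-nonexistent paths and record how this site says 'not found'."""
    samples = []
    for _ in range(probes):
        p = random_path()
        status, body = fetch(p)
        samples.append((status, normalize(body, p)))
    statuses = {s for s, _ in samples}
    return {"soft_404": 404 not in statuses, "statuses": statuses, "bodies": [b for _, b in samples]}


def similarity(a, b):
    return difflib.SequenceMatcher(None, a, b).ratio()


def naive_exists(fetch, path):
    """What a status-code-only check believes: anything but 404 means 'found'."""
    return fetch(path)[0] != 404


def page_exists(fetch, path, baseline, threshold=0.9):
    """True only if the response is a real page rather than the learned not-found page."""
    status, body = fetch(path)
    if status == 404:
        return False
    if status in baseline["statuses"]:
        # Same status as the not-found probes: decide by body similarity instead.
        body = normalize(body, path)
        if any(similarity(body, nf) >= threshold for nf in baseline["bodies"]):
            return False
    return True


if __name__ == "__main__":
    base = learn_not_found(fake_site)
    print("site uses soft-404 pages:", base["soft_404"])
    for p in ["/cgi-bin/oldapp.cgi", "/cgi-bin/does-not-exist.cgi"]:
        print(f"{p}: status-only={naive_exists(fake_site, p)} "
              f"baseline-aware={page_exists(fake_site, p, base)}")
```

Against the constructed site, the status-only check reports the nonexistent CGI as present while the baseline-aware check does not, and the real page still passes. Stripping the echoed path before comparing is what keeps the probes similar to each other; sites that add timestamps or nonces to the error page need a lower threshold or a more aggressive normalisation, which is exactly the tuning a scanner has to get right before its "known issues" database is worth anything on such a site.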

About Me

Jeremiah Grossman's career spans nearly 20 years; he has lived a literal lifetime in computer security and become one of the industry's biggest names. He has received a number of industry awards and been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for his security research. Jeremiah has written hundreds of articles and white papers. As an industry veteran, he has been featured in hundreds of media outlets around the world. Jeremiah has been a guest speaker on six continents at hundreds of events, including many top universities. All of this was after Jeremiah served as an information security officer at Yahoo!